In my previous post, I described how a board came close to approving a cyber risk model that had missed hundreds of vendors and devices. Nothing in the dashboard suggested anything was wrong. The number looked precise. The methodology was sound.
Until one director paused, looked at the numbers, and asked the one question that wasn’t on the deck.
That moment stayed with me. It was the silence before the question. The board was ready to move on. The output felt credible.
And in that moment, asking something different required a particular kind of will. The willingness to slow a room down when the room wants to move forward.
In many boardrooms, that question never comes.
Not because the board is negligent, but because when the output feels credible and the methodology is sound, challenging it can feel like disruption rather than governance.
Not all questions are equal. Some seek information. Is this project on budget?
Others test whether the answer itself can be trusted. What would have to be true for this budget to still be accurate in six months?
The second kind is rarer. It’s the one that usually arrives in the car on the way home, or not at all.
The moment is powerful, but also fragile.
Because if governance depends on one individual choosing to intervene, it is already exposed.
If the system needs courage to function, it is already poorly designed.
This is where governance is often misapplied. Boards focus on the decision in front of them. The real exposure sits in how that decision was formed.
The challenge is not just the question, but whether the system was designed to surface it before the moment requires courage.
In well-governed organisations, that challenge is not left to chance. It is designed into how decisions are formed, tested and presented. Assumptions are made visible. Boundaries are made explicit. Models are interrogated before they reach the point of approval.
As AI generates outputs that are faster, cleaner and more compelling, the board’s role shifts from accepting outputs to challenging the thinking behind them. AI can generate the output. It cannot question its own assumptions.
That doubt has to be designed in.
That responsibility sits with the board. But it should not sit with the board alone. It should be embedded in the governance design that shapes how those outputs are created.
If a decision cannot be interrogated at the level it was formed, it is not governed.
If the model is wrong, would we know?
